While most of last Friday’s Joint Committee on Intelligence and Security hearing with the Attorney-General’s Department focused on the definition of data retention and the extensive work that department had put into preparing data retention laws in secret, part of it revolved around an issue of longer-term and perhaps international significance: the quest to extend Australian attacks on privacy and anonymity offshore.

It dealt with three related issues, all raised by Andrew Wilkie’s rather Socratic question to AGD officials (a transcript has not yet been made available by Hansard) — whether the proposals under consideration would simply affect law-abiding citizens while the targets of these proposed significant extensions of state surveillance powers, the bad guys, would use encryption tools and offshore-based services to avoid detection.

The stakes here are broader than simply for the privacy of Australian citizens. Governments around the world, democratic or otherwise, want to rein in the internet, to “civilize it”: they see it as a wild west that needs the rule of law imposed on it. And one of their greatest frustrations is the difficulty of essentially national agencies in dealing with something that is innately global, meaning governments have to resort to complex, hard-to-negotiate international agreements to effectively impose control on it.

So far, that has proved difficult. For every European Cybercrime Convention, there are dozens of jurisdictional issues about the internet. English judges and lawyers rage futilely at the way social media defeats superinjunctions. US content companies demand ever more ridiculous laws to prevent filesharing. Irish newspaper sites carry prohibited details of Australian criminal cases. The Chinese dictatorship has to resort to hacking and social engineering to try to access dissidents’ offshore-based email accounts.

It’s clear that anglophone governments, at least, are working to stop this. The three issues canvassed in the discussion that ensued from Wilkie’s question shed light on both what the Australian government has been doing, and the attitude of officials.

First, there’s government-to-government cooperation. AGD Secretary Roger Wilkins told the committee that his department was considering pursuing with the governments of the United States, the United Kingdom, Canada and New Zealand the possible harmonisation of data retention laws. Wilkins declined to talk further about such discussions, preferring to tell the committee at the in-camera hearing that followed.

However, the government has previously admitted it is in talks with other governments about imposing a common data retention regime. ZDNet reported last year on bilateral talks with the US about a shared data retention regime. The US is the key government for such discussions given the dominance of US-based social media, email and VOIP providers.

The US doesn’t have a data retention regime but it does have a data preservation regime, under which law enforcement and intelligence agencies can demand telcos and ISPs retain data of an identified user for up to 90 days while they obtain a subpoena to access it. Australia has a similar regime. Both countries are also parties to the European Cybercrime Convention, under which signatories are required to order the preservation of data at the request of another government. Australian laws were amended earlier this year to permit this.

Australia, of course, has long worked closely with anglophone countries on intelligence-sharing, right back to WW2 and its aftermath. We’re also participants in anglophone-dominated international online crime taskforces like the Virtual Global Taskforce (which targets child abuse) and the “quintet” of anglophone Attorneys-General. So the building blocks of an international data preservation scheme, the institutional framework, are already in place; these could be used for an international data retention scheme.

AGD officials also said they had held discussions with major offshore social media providers and had made some progress with them, although they seemed to suggest Facebook and Google had been their interlocutors; Twitter has been far more reluctant to comply with requests for user data even from the US government. AGD insists that if a service is provided to Australians then the service provider must comply with Australian laws.

But this is more obscure territory: any agreement by, just for example’s sake, Facebook and the Australian government to retain telecommunications data would be voluntary and would not abrogate Facebook’s obligations under US law. Moreover, exactly to what it would relate is the key issue: Facebook might be quite happy to agree to a data preservation regime but refuse to engage on a data retention regime; it might cooperate with one-off issues (say, a life-and-death or high-profile criminal case) without committing to a systemic policy. AGD officials were also unable to answer Wilkie’s question about what, in the context of social media, “telecommunications data” actually meant.

Despite these discussions, Wilkins agreed with Wilkie that offshore-based providers’ compliance with Australian law was “on a whim”, which is patently an undesirable situation: neither law enforcement agencies nor users thus have any certainty about the status of private data.

When Wilkie raised the issue of encryption, specifically referring to Tor, Wilkins’s response was more, well, direct. “We’ll demand the encryption keys,” he said. Wilkins may not have specifically had Tor in mind when he made such an open-ended statement, but I asked Jacob Appelbaum, security researcher and Tor developer, for his views about Wilkins’s comments.

Appelbaum pointed out Tor doesn’t even use permanent encryption keys. “What keys? All *encryption* keys are temporary, only used during a given session — never written down, never known by admin. It is clear that people like Roger Wilkins do not even know what they’re talking about when they make such statements. Will Roger Wilkins demand that we change a secure architecture into an insecure one to suit the expansion of authoritarianism?”

In response to a question from Phillip Ruddock, Wilkins said AGD had also discussed with other governments forcing offshore-based encryption providers to disclose encryption keys. In the event governments are able to negotiate such “mutual assistance” agreements with each other, encryption using decentralised systems like Tor will be the only solution for anyone wishing to preserve basic privacy.

This bears watching. Governments do want to regulate the internet. And your privacy is the target.

6 thoughts on “Assembling the building blocks of global net regulation”

It is seriously difficult to comment on any of this without sounding like some kind of wacko conspiracy nut. It can be a bind.

But, I don’t think any balanced person would mind “too” much at losing a small degree of privacy on a temporary one-off basis, not a systemic basis, if it meant bringing some really “bad guy” or international thug, to justice.

But who are the “really bad guys” anyway? If the really bad guys employ the most sophisticated IT systems to avoid detection, which they would, then all that remains in this massive international dragnet, would be the regular mums and dads, kids and all the innocuous social media data that goes with them. Corporate and commercial interests aside, this is totally useless in the context of counter intelligence and international intrigue.

So, who are the really bad guys? Is this a case of providing a logical answer to the illogical question?

The ‘bad guy’ is anyone the US MIC, MSM, Federal Reserve & their merchant bank cronies and the one foreign government with a DC based lobby group, want removed from the main propaganda game. These orgs are the US’s on-going ‘shadow government’ who in fact call the shots.

Since the erosion of their power began after 2000 with the rise of the net, they’ve seen a global awareness emerge of their previous complete control of US Government & its allies’ propaganda…and young Americans don’t like what they have come to understand.

The US’s shadow Government want to smash alternative, credible news organisations such as the UK’s Media Lens to name but one…..check out the lame duck session of the US Congress after the Presidential elections to see if they don’t try to push a draconian set of controls over the net.

Bureaucrats behind closed doors plotting to deny the people access to free media is both comical, in the “Yes Minister” tradition, and bleak, in the darkest Orwellian sense.

Comical in their smug expectation of having the power to control a global phenomenon, that is still only in its first stages of evolution, and is not centralised in any way, and which is already essential to the functioning of our economy and society.

Bleak because of the measures they would have to take to actually deny us access to each other, to knowledge and the means to expose who and what are truly in power.

Some can see we are in the early stages of a global conflict, between the delusion industry that serves secret power, and human freedom.

What happens now determines our fate. If people unite to demand internet freedom, before a conspiracy of bureaucrats can shackle it, a global equivalent of an “Arab Spring” will emerge, and this technology will serve us well. But if the people leave it too late, this pleasant little society will collapse into something more like the reality in Syria, or the nightmare fiction of 1984.

Who cares? If govts try, they’ll fail as they always do. We all know just how hopeless they are from experience. People will just use proxies/encryption from jurisdictions that aren’t covered. If the govt tries to force ISPs to restrict traffic to/from such sites, they’ll just come up with some kind of moving target (where they move the proxy every time it’s blocked) or cloud solution. Sounds like another one of Comrade Conroy’s fantasies (along with having middle-aged men wearing underpants on their heads at spectrum auctions).

Yes, James Munro, a technological solution is not likely to be effective. So political measures will be required, and this is the danger …

If secret services have power to deny you access to your Crikey account, for example, that power will inevitably be used to serve corrupt self-interest. Unaccountable power is always abused. Unaccountable power always benefits the most corrupt self-interest. The real sin is not the act that abuses power, it is the granting of unaccountable power in the first place.

An analogy – a policeman kills a man by using a taser 18 times. Shock, horror – power is abused. The real sin is equipping police with a taser that can be used 18 times on the same victim. The fundamental sin is failing to act on the wisdom that all unaccountable power will be abused.

To grant any organisation the power to intervene between people and the internet would be a catastrophic mistake …